Finally got around to implementing a new FIM management agent (MA) with a custom extension that disables Active Directory (AD) user accounts.
This has been sitting on my whiteboard list of to-do items for some time. It didn't turn out to be too difficult, but I had to make some changes to another MA which, from what I can tell, was conflicting with an attribute flow. That, along with some new custom code and a new MA, did the trick.
There was some original code/setup (written by an MS consultant) for disabling users that exist in the FIM management agent (the portal MA). The basic idea, which was only partially implemented, was a custom field in the FIM MA and portal that drives updates to the Windows userAccountControl flags (reference) through the Active Directory MA and its extension.
The custom field in the portal is updatable. A change to the field ends up in the FIM connector space and propagates to the metaverse (MV). The MV value flows to the Active Directory (AD) MA, which has a custom extension that translates the flag to the appropriate userAccountControl value and manages OU changes to the account. When the custom field indicates that a user should be disabled, the extension bitwise-ORs userAccountControl with 0x2 (the ACCOUNTDISABLE bit). When the user is re-enabled, it bitwise-ANDs userAccountControl with the complement of 0x2, clearing only that bit and leaving the other flags untouched.
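The flag translation described above, as an added C# example (the language of the MA extension); this is not the post's own extension code, the class and method names are mine, and the idea is that the AD MA extension's export attribute flow would call `Apply` on the connector-space userAccountControl value.

```csharp
// Added example, not the post's own MA extension code.
// Translates a "disable this account" decision into the userAccountControl
// bit change, touching only the ACCOUNTDISABLE bit so that other flags
// (NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, ...) on the account are preserved.
using System;

public static class UserAccountControlFlow
{
    // ADS_UF_ACCOUNTDISABLE bit of userAccountControl.
    private const long AccountDisable = 0x2;

    // Well-known bits used only for the constructed sample below.
    private const long NormalAccount = 0x200;
    private const long DontExpirePassword = 0x10000;

    // New userAccountControl for the requested state: OR in 0x2 to disable,
    // AND with the complement of 0x2 to re-enable.
    public static long Apply(long current, bool disable)
    {
        return disable ? current | AccountDisable : current & ~AccountDisable;
    }

    public static bool IsDisabled(long uac) => (uac & AccountDisable) != 0;

    // True only when the stored value differs from the requested state, so
    // the extension can skip a no-op export instead of rewriting the
    // attribute (and generating a spurious directory change) on every run.
    public static bool NeedsChange(long current, bool disable) => IsDisabled(current) != disable;

    public static void Main()
    {
        // Constructed sample: an enabled normal account whose password never expires.
        long uac = NormalAccount | DontExpirePassword;          // 0x10200

        long disabled = Apply(uac, true);                       // 0x10202
        long reenabled = Apply(disabled, false);                // 0x10200 again

        Console.WriteLine($"{uac:X} -> {disabled:X} -> {reenabled:X}");
        Console.WriteLine($"disabled keeps DONT_EXPIRE_PASSWORD: {(disabled & DontExpirePassword) != 0}");
        Console.WriteLine($"re-disable needed: {NeedsChange(disabled, true)}");   // False
        Console.WriteLine($"re-enable needed: {NeedsChange(disabled, false)}");   // True
    }
}
```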
We only keep certain users in the FIM MA and portal for performance reasons, so the original design wasn't 100% useful and was never fully implemented. It did provide the basic framework for my final solution, though.
So what I ended up creating is a database feed (a new table and views) going to the new MA, which has a C# extension. The database is populated from a utility I created, which the local security team has access to. The new DB feed replaces the custom field in the FIM MA but still updates the same metaverse (MV) data, which feeds into the AD MA. So the largest change was removing the existing FIM MA support and replacing it with the new MA. The remaining changes were more cleanup in nature, plus some changes needed simply to get things working that had not been fully implemented initially.
At some point, a more general tool will be created to populate the DB table feed, and the decentralized security teams will have access to it.